ATT&CK Evaluation APT29 Emulation Plan Added to the Emulation Plan Library

Frank Duff · Published in MITRE-Engenuity · Jan 21, 2021

In April 2020, we released the results and methodology from our APT29 ATT&CK Evaluation. While this post announces the re-release of this plan in the Center for Threat-Informed Defense emulation plan format, we would be remiss if we did not acknowledge renewed interest in APT29 due to press reports of a connection to the recent SolarWinds supply chain injection. Industry reporting on related intrusions has been unable to confirm a connection to APT29 at the time of this release, and has instead tracked the activity variously as UNC2452, Dark Halo, and StellarParticle. The APT29 emulation plans address activity exhibited by APT29 in 2018 and earlier, and this release is independent of the SolarWinds supply chain injection.

The Re-release of the APT29 Emulation Plan

Most people know of ATT&CK Evaluations for its openly available results that solution providers use to highlight and describe their product performance, and industry uses to help compare products to enable more informed decisions. With each round of results, ATT&CK Evaluations releases its methodology to provide context to the results, to ensure reproducibility of our process, and to enable end users to add their own variances (e.g., normal system noise, different configurations, different solutions) to create tailored results based on their needs.

Our methodology consists of multiple components. The evaluation process, detection categories, and environment setup are all key components that capture how and where we evaluate, as well as how we describe results. But the crucial piece that makes each round unique is the emulation plan. The emulation plan is the step-by-step set of actions the red team takes to mimic the adversary behavior in a consistent and repeatable fashion.

Trying to find the optimal way of presenting this information in a reusable format has been an evolving endeavor, from the original ATT&CK APT3 plan to the ATT&CK Evaluation APT3 and APT29 plans. While each of these emulation plans is used by people across industry, common feedback we received was that they require sophisticated users to leverage the content. ATT&CK Evaluations went a step further to address accessibility by creating Do It Yourself Evaluations, which implemented CALDERA adversary profile representations of our emulation plans. Unfortunately, these implementations were strictly tied to specific versions of CALDERA, so their shelf life was limited.

Fortunately, the Center for Threat-Informed Defense has taken on the challenge of how to represent emulation content through its Adversary Emulation Plan Library project that uses our lessons learned as a starting point and seeks to evolve and standardize how the content is represented. The benefits of this are multifaceted but include the fact that CALDERA and similar tooling can create parsers that can ingest the standardized YAML format to improve the usability of our evaluation content.

Now that there is a common representation for emulation plan content, we are supporting its use in the ATT&CK Evaluation program. We have initially taken our APT29 content and restructured it to adopt the new format. This required some compromises on both sides that we outline in detail below. We will then be using the new format in our upcoming release of the Carbanak and FIN7 emulation content. This helps ensure that ATT&CK Evaluation methodologies are as broadly adoptable and usable as possible.

APT29 Plan Structure

The APT29 emulation plan contains the two scenarios used during the 2019 ATT&CK Evaluations. Each scenario represents alternate paths through the general operational flow derived from threat intelligence:

  • Scenario 1: This scenario starts with a “smash-and-grab” then rapid espionage mission that focuses on gathering and exfiltrating data, before transitioning to stealthier techniques to achieve persistence, further data collection and credential access, and lateral movement. The scenario ends with the execution of previously established persistence mechanisms.
  • Scenario 2: This scenario consists of a stealthier and slower approach to compromising the initial target, establishing persistence, gathering credential materials, then finally enumerating and compromising the entire domain. The scenario ends with a simulated time-lapse where previously established persistence mechanisms are executed.

In the operational flow, a number of representative phases capture logical groupings of adversary behavior. This high-level view is meant to capture the essence of the reported adversary intent, while the more granular breakdown is available within the scenario. This is where you will find the traditional ten steps per scenario used during our evaluation process.

As with the FIN6 emulation plan, in addition to the markdown representation, you will find a machine-readable YAML representation of the scenarios and an intelligence summary. There is also an archive containing the original ATT&CK Evaluation emulation content and the scripts used during the evaluation.
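One defensive use of the machine-readable plan described above is to check, before running it, which steps of each scenario your detections would already see. The following is an added example, not code from ATT&CK Evaluations or the Center's Adversary Emulation Library; the plan fragment is a constructed, simplified stand-in for the loaded YAML (a details header followed by scenario steps tagged with phase, tactic and ATT&CK technique ID), embedded as the Python structure `yaml.safe_load()` would return so it runs without PyYAML. Only the technique IDs are real; the step numbering and its mapping to techniques are illustrative.

```python
from collections import defaultdict

# Constructed plan fragment shaped like a loaded emulation-plan YAML file:
# one header entry, then one entry per step. Step IDs and the
# step-to-technique mapping are illustrative; the technique IDs are real.
PLAN = [
    {"emulation_plan_details": {"adversary_name": "APT29 (constructed sample)",
                                "attack_version": 8}},
    {"id": "1.A", "scenario": 1, "phase": "Initial compromise",
     "tactic": "execution", "technique": {"attack_id": "T1204.002"}},
    {"id": "1.B", "scenario": 1, "phase": "Rapid collection",
     "tactic": "collection", "technique": {"attack_id": "T1560.001"}},
    {"id": "1.C", "scenario": 1, "phase": "Rapid collection",
     "tactic": "exfiltration", "technique": {"attack_id": "T1041"}},
    {"id": "2.A", "scenario": 2, "phase": "Stealthy foothold",
     "tactic": "execution", "technique": {"attack_id": "T1059.001"}},
    {"id": "2.B", "scenario": 2, "phase": "Persistence",
     "tactic": "persistence", "technique": {"attack_id": "T1547.001"}},
    {"id": "2.C", "scenario": 2, "phase": "Domain takeover",
     "tactic": "credential-access", "technique": {"attack_id": "T1003.001"}},
]

def steps(plan):
    """Yield only the step entries, skipping the plan-details header."""
    for entry in plan:
        if "emulation_plan_details" not in entry:
            yield entry

def is_covered(attack_id, detections):
    """A sub-technique counts as covered when the defender has a detection
    for it or for its parent technique (T1059 covers T1059.001)."""
    return attack_id in detections or attack_id.split(".")[0] in detections

def coverage_report(plan, detections):
    """Return {scenario: {"covered": [...], "gaps": [...]}} where each item
    is (step id, phase, technique id), so gaps can be read per scenario."""
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for step in steps(plan):
        tid = step["technique"]["attack_id"]
        bucket = "covered" if is_covered(tid, detections) else "gaps"
        report[step["scenario"]][bucket].append((step["id"], step["phase"], tid))
    return dict(report)

if __name__ == "__main__":
    have = {"T1059", "T1041", "T1547.001"}  # constructed detection inventory
    for scenario, r in sorted(coverage_report(PLAN, have).items()):
        print(f"Scenario {scenario}: {len(r['covered'])} covered, {len(r['gaps'])} gaps")
        for step_id, phase, tid in r["gaps"]:
            print(f"  gap at step {step_id} ({phase}): {tid}")
```

The same report can be produced from the real plan by replacing `PLAN` with the output of `yaml.safe_load()` on the YAML file, provided the field names are adjusted to the Center's actual schema.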

Next Steps

To continue to make our content as accessible as possible, as well as to do our part to drive toward a standardized representation of emulation content, we will be releasing the upcoming Carbanak and FIN7 emulation plans in the Center’s format. If you have feedback on this plan, the FIN6 plan, or any of the future releases, please reach out to ATT&CK Evaluations or the Center for Threat-Informed Defense.

© 2021 MITRE Engenuity. Approved for Public Release. Document number AT0008.


Frank Duff (@FrankDuff) is the Director of ATT&CK Evaluations for MITRE Engenuity, providing open and transparent evaluation methodologies and results.